1. Lab environment
1) vSRX 12.1X47-D20.7
2. Lab topology
A Chassis Cluster is built between vSRXA1 and vSRXA2.
ge-0/0/0 is the out-of-band management interface (becomes fxp0; fixed by the system, cannot be changed).
ge-0/0/1 is the control link (becomes fxp1; fixed by the system, cannot be changed).
ge-0/0/4 is the data link (fabric; configured manually, can be changed).
The control link and the data link are cabled back-to-back between the two nodes. Keep it that way: the control and session-sync traffic on these links is not encrypted by default (the output below shows Internal-SA: Disabled), so it should never cross a shared switch.
On branch (low-end) SRX firewalls the management, control and data links are all taken from the revenue (service) ports.
On high-end SRX firewalls the management and control links are dedicated ports; only the data link uses a service port.
In HA mode the interface numbering on node1 changes: the vSRX is modelled as a chassis with 7 FPC slots (slot 0, 1, 2, 3, 4, 5, 6).
node0 keeps slots 0 to 6 (ge-0/0/x ... ge-6/0/x).
node1 is renumbered to slots 7 to 13 (ge-7/0/x ... ge-13/0/x), so node1's ge-0/0/4 appears as ge-7/0/4 in the cluster configuration.
3. Moving the SRX from standalone mode to HA mode (requires a reboot)
1) Assign the cluster ID and node ID on each firewall in operational mode; the reboot keyword restarts the device:
vSRXA1:
set chassis cluster cluster-id 1 node 0 reboot
vSRXA2:
set chassis cluster cluster-id 1 node 1 reboot
2) After the reboot the vSRX automatically comes up in HA mode:
{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 1 secondary no no None
{primary:node0}
root>
Note: on branch (low-end) SRX firewalls the control link is preset; as soon as the firewall runs in HA mode, ge-0/0/1 becomes the control link. High-end SRX firewalls have dedicated control-link ports that must be configured by hand, especially on the SRX5K. Without a configured control link the cluster will not come up properly. On the SRX5K the control ports are configured like this:
set chassis cluster control-ports fpc 2 port 0
set chassis cluster control-ports fpc 5 port 0
4. Configuration order for SRX HA (all of it is done on the primary firewall)
1) Configure the management interfaces (node0/node1 management addresses and backup-router)
2) Configure the HA data-link (fabric) interface (ge-0/0/4; ge-0/0/1 is the control link and is not configured here)
3) Configure the redundancy groups (group 0 is the control plane, all other groups are the data plane)
4) Configure the service interfaces (reth) in the HA pair
5) Configure the failover parameters
Following this order makes it easier to work backwards through the steps when something does not behave as expected.
5. SRX HA configuration steps (done on the primary firewall)
1) Configure the management interfaces and the backup-router route
{primary:node0}[edit groups]
root# show | display set
set groups node0 system host-name vSRXA1
set groups node0 system backup-router 192.168.100.254
set groups node0 system backup-router destination 192.168.100.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.2/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
set groups node1 system host-name vSRXA2
set groups node1 system backup-router 192.168.100.254
set groups node1 system backup-router destination 192.168.100.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.3/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.100.1/24 master-only
Apply the node0/node1 groups configured above (the ${node} variable expands to the local node name) and commit:
{primary:node0}[edit]
root# set apply-groups ${node}
{primary:node0}[edit]
root# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
{primary:node0}[edit]
root@vSRXA1#
Check the fxp0 state on node0 and node1:
{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.1/24 (the master-only address from the group; it always follows the RG0 primary)
{primary:node0}[edit]
root@vSRXA1#
{secondary:node1}
root@vSRXA2> show interfaces terse | match fxp0
fxp0 up up
fxp0.0 up up inet 192.168.100.3/24
{secondary:node1}
root@vSRXA2>
2) Configure the HA data link; the configuration keyword is fab:
{primary:node0}[edit]
root@vSRXA1# show interfaces | match fab | display set
set interfaces fab0 fabric-options member-interfaces ge-0/0/4
set interfaces fab1 fabric-options member-interfaces ge-7/0/4
State before the fab interfaces are configured:
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled
Fabric link status: Down
Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0
fab0
fab1
fab1
Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0
{primary:node0}[edit]
root@vSRXA1# run show interfaces terse | match fab
fab0 up down
fab0.0 up down inet 30.17.0.200/24
fab1 up down
fab1.0 up down inet 30.18.0.200/24
{primary:node0}[edit]
root@vSRXA1#
State after configuration:
{primary:node0}
root@vSRXA1> show chassis cluster interfaces
Control link status: Up
Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled
Fabric link status: Up
Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1
Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0
{primary:node0}
root@vSRXA1> show interfaces terse | match fab
ge-0/0/4.0 up up aenet --> fab0.0
ge-7/0/4.0 up up aenet --> fab1.0
fab0 up up
fab0.0 up up inet 30.17.0.200/24
fab1 up up
fab1.0 up up inet 30.18.0.200/24
{primary:node0}
root@vSRXA1>
3) Configure the redundancy groups (by default only group 0 exists, with priority 1 on both nodes; the priorities can be set manually):
{primary:node0}[edit chassis cluster]
root@vSRXA1# show | display set
set chassis cluster reth-count 8
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
Check the redundancy group state:
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring
Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 1 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
{primary:node0}[edit]
root@vSRXA1#
4) Configure the service interfaces (reth) in the HA environment by adding the physical interfaces of both nodes to the reth groups:
{primary:node0}[edit]
root@vSRXA1# show interfaces | match reth | display set
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth2
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth2 redundant-ether-options redundancy-group 1
Check the reth interface state:
root@vSRXA1# run show interfaces terse | match reth
ge-0/0/2.32767 up up aenet --> reth0.32767
ge-0/0/3.32767 up up aenet --> reth2.32767
ge-7/0/2.32767 up up aenet --> reth0.32767
ge-7/0/3.32767 up up aenet --> reth2.32767
reth0 up up
reth0.32767 up up
reth2 up up
reth2.32767 up up
{primary:node0}[edit]
root@vSRXA1#
{primary:node0}[edit]
root@vSRXA1# run show chassis cluster interfaces | no-more
Control link status: Up
Control interfaces:
Index Interface Monitored-Status Internal-SA
0 fxp1 Up Disabled
Fabric link status: Up
Fabric interfaces:
Name Child-interface Status
(Physical/Monitored)
fab0 ge-0/0/4 Up / Up
fab0
fab1 ge-7/0/4 Up / Up
fab1
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth2 Up 1
Redundant-pseudo-interface Information:
Name Status Redundancy-group
lo0 Up 0
{primary:node0}[edit]
root@vSRXA1#
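The slot-offset rule from the topology section (node1 ports appear as ge-7/0/x on vSRX) and the member pairing used in steps 2) and 4) (every node0 fab/reth member needs its mirror on node1) can be turned into a small generator that also refuses the ports a cluster must not touch. This is an added example, not code from the article or from Juniper; the offset of 7, the reserved-port list (ge-0/0/0 as fxp0 and ge-0/0/1 as fxp1 on vSRX) and the interface plan are assumptions taken from this lab.

```python
"""Generate paired node0/node1 interface config for an SRX chassis cluster.

Added example (not from the article or Juniper). Assumptions, taken from the
lab above: node1 FPC slots are node0 slots plus 7 on vSRX (ge-0/0/4 pairs with
ge-7/0/4), and ge-0/0/0 (fxp0, management) and ge-0/0/1 (fxp1, control link)
are reserved on vSRX and must not be used as fabric or reth members.
"""
import re

IFACE_RE = re.compile(r"^(?P<type>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")
VSRX_SLOT_OFFSET = 7                       # assumption: vSRX renumbers node1 from slot 7
VSRX_RESERVED = {"ge-0/0/0", "ge-0/0/1"}   # assumption: management and control link


def peer_interface(name, slot_offset=VSRX_SLOT_OFFSET):
    """Return the node1 name of a node0 port: ge-0/0/4 -> ge-7/0/4."""
    m = IFACE_RE.match(name)
    if not m:
        raise ValueError(f"not a physical interface name: {name}")
    fpc = int(m["fpc"])
    if fpc >= slot_offset:
        raise ValueError(f"{name} is already a node1 interface (slot >= {slot_offset})")
    return f"{m['type']}-{fpc + slot_offset}/{m['pic']}/{m['port']}"


def cluster_interface_config(fabric, reths, reth_count,
                             slot_offset=VSRX_SLOT_OFFSET, reserved=VSRX_RESERVED):
    """Build the 'set' lines for fab0/fab1 and the reth members.

    fabric: node0 port used as data link (fab0 member); fab1 is derived.
    reths:  {"reth0": ("ge-0/0/2", 1), ...} mapping a reth to its node0 member
            port and redundancy group; the node1 member is derived.
    """
    used = set()

    def claim(port):
        # A port can be the fabric link or one reth member, never both,
        # and never one of the ports the cluster itself needs.
        if port in reserved:
            raise ValueError(f"{port} is reserved (management/control link)")
        if port in used:
            raise ValueError(f"{port} assigned twice")
        used.add(port)

    claim(fabric)
    lines = [f"set chassis cluster reth-count {reth_count}",
             f"set interfaces fab0 fabric-options member-interfaces {fabric}",
             f"set interfaces fab1 fabric-options member-interfaces "
             f"{peer_interface(fabric, slot_offset)}"]
    for reth, (member, rg) in sorted(reths.items()):
        if not (reth.startswith("reth") and reth[4:].isdigit()):
            raise ValueError(f"bad reth name: {reth}")
        idx = int(reth[4:])
        if idx >= reth_count:
            raise ValueError(f"{reth} needs reth-count > {idx}")
        if rg < 1:
            raise ValueError(f"{reth}: reth interfaces belong to a data-plane group (1+), not RG0")
        claim(member)
        peer = peer_interface(member, slot_offset)
        lines.append(f"set interfaces {member} gigether-options redundant-parent {reth}")
        lines.append(f"set interfaces {peer} gigether-options redundant-parent {reth}")
        lines.append(f"set interfaces {reth} redundant-ether-options redundancy-group {rg}")
    return lines


if __name__ == "__main__":
    # The plan from this lab: fabric on ge-0/0/4, reth0 and reth2 in RG1.
    plan = {"reth0": ("ge-0/0/2", 1), "reth2": ("ge-0/0/3", 1)}
    print("\n".join(cluster_interface_config("ge-0/0/4", plan, reth_count=8)))
```

Run with the lab plan it prints the same fab and reth lines as steps 2) and 4) above; feeding it ge-0/0/1 as the fabric port, or a reth bound to redundancy-group 0, raises before anything is emitted.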
5) Switching between node0 and node1 (manual failover)
root@vSRXA1> request chassis cluster failover redundancy-group 0 node 1
root@vSRXA1> request chassis cluster failover redundancy-group 1 node 1
手工切換后的優(yōu)先級(jí)會(huì)達(dá)到255,需要手工恢復(fù)。
request chassis cluster failover reset redundancy-group 1
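The state checks from step 3) and the priority-255 condition from this step are the things worth verifying after every change, and the output of show chassis cluster status is simple enough to parse. The following is an added example, not code from the article or from Juniper. The two sample outputs are constructed to mirror the article's output: one healthy cluster, and one in which redundancy group 1 was failed over by hand and still needs the reset.

```python
"""Parse 'show chassis cluster status' and flag conditions that need action.

Added example, not from the article or Juniper. The sample outputs are
constructed: a healthy cluster, and one where redundancy group 1 was
failed over manually (priority 255, Manual=yes), which must be cleared with
'request chassis cluster failover reset redundancy-group <n>'.
"""
import re
from dataclasses import dataclass, field

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^(node[01])\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s+(.*?)\s*$")

HEALTHY = """\
Cluster ID: 1
Node   Priority Status    Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  200      primary   no      no     None
node1  100      secondary no      no     None
Redundancy group: 1 , Failover count: 1
node0  200      primary   no      no     None
node1  100      secondary no      no     None
"""

AFTER_MANUAL_FAILOVER = """\
Cluster ID: 1
Node   Priority Status    Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0  200      primary   no      no     None
node1  100      secondary no      no     None
Redundancy group: 1 , Failover count: 2
node0  200      secondary no      no     None
node1  255      primary   no      yes    None
"""


@dataclass
class NodeState:
    name: str
    priority: int
    status: str
    preempt: bool
    manual: bool
    failures: str


@dataclass
class RedundancyGroup:
    rg: int
    failover_count: int
    nodes: list = field(default_factory=list)


def parse_cluster_status(text):
    """Return the redundancy groups and their per-node rows found in the output."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RG_RE.match(line)
        if m:
            current = RedundancyGroup(int(m[1]), int(m[2]))
            groups.append(current)
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            current.nodes.append(NodeState(m[1], int(m[2]), m[3],
                                           m[4] == "yes", m[5] == "yes", m[6]))
    return groups


def check_cluster(groups):
    """Return a list of findings; an empty list means nothing needs attention."""
    findings = []
    if not groups:
        return ["no redundancy groups found in output"]
    primary_node = {}
    for g in groups:
        primaries = [n.name for n in g.nodes if n.status == "primary"]
        if len(primaries) != 1:
            findings.append(f"RG{g.rg}: expected exactly one primary, found {primaries}")
        else:
            primary_node[g.rg] = primaries[0]
        for n in g.nodes:
            if n.manual or n.priority == 255:
                findings.append(f"RG{g.rg}: manual failover in effect on {n.name} "
                                f"(priority {n.priority}); run "
                                f"'request chassis cluster failover reset redundancy-group {g.rg}'")
            if n.priority == 0:
                findings.append(f"RG{g.rg}: {n.name} has priority 0 and cannot become primary")
            if n.failures != "None":
                findings.append(f"RG{g.rg}: {n.name} reports monitor failures: {n.failures}")
            if n.status not in ("primary", "secondary"):
                findings.append(f"RG{g.rg}: {n.name} is in state '{n.status}'")
    if len(set(primary_node.values())) > 1:
        findings.append("RG0 (control plane) and data-plane groups are primary on different nodes")
    return findings


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("after failover", AFTER_MANUAL_FAILOVER)):
        print(label, check_cluster(parse_cluster_status(text)) or ["ok"])
```

On the healthy sample the check returns nothing; on the second sample it reports the 255 priority on node1 with the exact reset command, plus the fact that RG0 and RG1 are now primary on different nodes (the split the article's step 5) avoids by failing over both groups together).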
At this point the SRX Chassis Cluster is ready for use. For the remaining parameters, refer to:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-overview.html
The next article will cover IP addressing and routing on SRX HA interfaces. Thanks for reading!